(1) Real Party in Interest

A statement identifying by name the real party in interest is contained in the brief. 

(2) Related Appeals and Interferences 

The examiner is not aware of any related appeals, interferences, or judicial 
proceedings which will directly affect or be directly affected by or have a bearing on the 
Board's decision in the pending appeal. 

(3) Status of Claims 

The statement of the status of claims contained in the brief is correct. 

(4) Status of Amendments After Final 

The appellant's statement of the status of amendments after final rejection 
contained in the brief is correct. 

(5) Summary of Claimed Subject Matter 

The summary of claimed subject matter contained in the brief is correct. 

(6) Grounds of Rejection to be Reviewed on Appeal 

The appellant's statement of the grounds of rejection to be reviewed on appeal is 
correct. 

(7) Claims Appendix 

The copy of the appealed claims contained in the Appendix to the brief is correct. 

(8) Evidence Relied Upon 

6,453,353 Win et al. 9-2002

6,834,272 Naor et al. 12-2004

(9) Grounds of Rejection

The following ground(s) of rejection are applicable to the appealed claims: 
Claims 23-25 and 27-32 are rejected under 35 U.S.C. 102(e) as being 
anticipated by United States Patent No. 6,453,353 to Win et al., hereinafter Win. 

1. Regarding claim 23, Win teaches a method for providing attribute data, said
method comprising:

receiving a request from a user device via a network for a virtual ID token relating to 
attribute information pertaining to a subscriber associated with the user device (Figures 
5A, 5C, column 2, lines 42-67); 

responsive to the request for the virtual ID token, reading a data record from a 
database, said data record comprising L attributes of the subscriber, L being at least 2 
(Figures 5a, 5b and 5e, column 10, lines 14-26 and 41-55, column 11 and lines 42-64); 

providing the data record to the user device via the network (Figures 1, 2 and 6-8,
column 5, lines 1-12, 66 and 67, column 6, lines 1-16 and column 26, lines 14-67, 
"remote computer can load the instructions into its dynamic memory and send the 
instructions over a telephone line via a modem" "Communication interface 918 provides 
a two-way data communication coupling to a network link 920 that is connected to a 
local network 922" and "Network link 920 typically provides data communication through 
one or more networks to other data devices"); 

receiving, from the user device via the network, a selection of M attributes of the L 
attributes, M being less than L (Figure 10b, column 26, lines 14-67, "remote computer 
can load the instructions into its dynamic memory and send the instructions over a 
telephone line via a modem", "Communication interface 918 provides a two-way data
communication coupling to a network link 920 that is connected to a local network 922" 
and "Network link 920 typically provides data communication through one or more 
networks to other data devices"); 

generating a virtual record including the M attributes selected from the data record, said 
virtual record comprising a virtual ID (VID) for identifying the virtual record (Figures 10a-
10c, column 12, lines 32-55 and column 15, lines 35-52);

storing the generated virtual record in the database (column 3, lines 7-40, "storing, in 
the database an association of each resource to one or more of the roles", column 5, 
lines 13-20, column 12, lines 32-55 and column 15, lines 35-52); 

and providing the virtual ID token to the user device via the network, wherein the virtual
ID token comprises the VID (Figures 1, 2 and 6-8, column 2, lines 42-67, column 5,
lines 1-12 and column 26, lines 14-67, "remote computer can load the instructions into 
its dynamic memory and send the instructions over a telephone line via a modem" 
"Communication interface 918 provides a two-way data communication coupling to a 
network link 920 that is connected to a local network 922" and "Network link 920 
typically provides data communication through one or more networks to other data 
devices"), 

wherein an attribute information providing server performs said receiving the request for 
the virtual ID token, said reading the data record from the database, said providing the 
data record to the user device, said receiving the selection of M attributes, said 
generating the virtual record, said storing the generated virtual record in the database, 
and said providing the virtual ID token to the user device (column 3, lines 7-40, "storing,
in the database an association of each resource to one or more of the roles", column 5,
lines 13-20, column 11, lines 42-64, column 12, lines 32-55 and column 15,
lines 35-52).

2. Regarding claim 24, Win teaches receiving a request comprising the VID for 
attribute information associated with the VID from an attribute information receiving 
apparatus via the network (Figures 10a-10c, column 12, lines 32-55 and column 15, 
lines 35-52); 

reading the virtual record from the database in response to the request comprising the 
VID (column 3, lines 7-40, "storing, in the database an association of each resource to 
one or more of the roles", column 5, lines 13-20, column 11, lines 42-64, column 12, 
lines 32-55 and column 15, lines 35-52); 

and after said reading, providing the virtual record to the attribute information receiving 
apparatus via the network (Figures 1, 2 and 6-8, column 2, lines 42-67, column 5, lines
1-12 and column 26, lines 14-67, "remote computer can load the instructions into its 
dynamic memory and send the instructions over a telephone line via a modem" 
"Communication interface 918 provides a two-way data communication coupling to a 
network link 920 that is connected to a local network 922" and "Network link 920 
typically provides data communication through one or more networks to other data 
devices"), 

wherein the attribute information providing server performs said receiving the request 
comprising the VID, said reading the virtual record from the database, and said 
providing the virtual record to the attribute information receiving apparatus (column 2,
lines 42-67, column 3, lines 7-40, "storing, in the database an association of each 
resource to one or more of the roles", column 5, lines 13-20, column 12, lines 32-55 and 
column 15, lines 35-52). 

3. Regarding claim 25, Win teaches wherein said providing the virtual record to the 
attribute information receiving apparatus is performed in manner that ensures that the 
virtual ID is concealed from the attribute information receiving apparatus when the 
virtual record is received by the attribute information receiving apparatus (Figures 3b, 
3c, 4, 5a-5e and 6, column 6, lines 41-54, column 8, lines 23-63, column 9, lines 41-60 
and column 10, lines 41-63). 

4. Regarding claim 27, Win teaches after said providing the virtual record to the 
attribute information receiving apparatus: 

providing, by the attribute information providing server, an attribute certificate to the 
attribute information receiving apparatus in relation to a new transaction between the 
subscriber and the attribute information receiving apparatus, wherein the attribute 
certificate pertains to the M attributes in the virtual record provided to the attribute 
information receiving apparatus (column 5, lines 66 and 67, column 6, lines 1-9, column 
17, lines 28-37, column 19, lines 56-63 and column 22, lines 41-46). 

5. Regarding claim 28, Win teaches wherein the attribute information providing 
server comprises: 

a customer record display unit for displaying the virtual record (Figures 10a-10c, column 
17, lines 52-67 and column 18, lines 14-27); 

an attribute selection unit for extracting the M attributes from the data record prior to
said generating the virtual record (Figures 10a-10c, column 12, lines 32-55, column 15, 
lines 35-52 and column 16, lines 13-58); 

a virtual record generation unit for performing said generating the virtual record (Figures 
10a-10c, column 12, lines 32-55, column 15, lines 35-52 and column 16, lines 13-58); 

a VID token issue unit for performing generating the virtual ID token prior to said
providing the virtual token ID to the user device (Figures 5a, 5b and 5e, column 2, lines
42-67, column 10, lines 14-26 and 41-55, column 11 and lines 42-64);

a virtual record referencing unit for referencing the virtual record based on the VID prior
to said providing the virtual record to the attribute information receiving apparatus 
(Figures 10a-10c, column 12, lines 32-55, column 15, lines 35-52 and column 16, lines 
13-58); 

and a virtual record issue unit for performing said providing the virtual record to the 
attribute information receiving apparatus (Figures 1, 2 and 6-8, column 2, lines 42-67, 
column 5, lines 1-12 and column 26, lines 14-67, "remote computer can load the 
instructions into its dynamic memory and send the instructions over a telephone line via 
a modem" "Communication interface 918 provides a two-way data communication 
coupling to a network link 920 that is connected to a local network 922" and "Network 
link 920 typically provides data communication through one or more networks to other 
data devices"). 

6. Regarding claim 29, Win teaches wherein the VID token further comprises a 
URL of the attribute information providing server (Figures 3a-3c, column 5, lines 13-21, 
66 and 67, column 6, lines 1-9 and 58-65, column 7, lines 45-57, column 8, lines 5-63
and column 14, lines 34-43 and 56-67). 

7. Regarding claim 30, Win teaches wherein the attribute information providing 
server is selected from the group consisting of a financial institution, an Internet 
Service Provider (ISP), and a shopping site on the network (column 26, lines 44-67). 

8. Regarding claim 31, Win teaches receiving a selection of M1 attributes of the L
attributes in the data record, wherein the M1 attributes are not identical to the M 
attributes (Figure 10b, column 3, lines 7-40, "storing, in the database an association of 
each resource to one or more of the roles", column 5, lines 13-20, column 11, lines 42-64,
column 12, lines 32-55, column 15, lines 35-52 and column 26, lines 14-67,
"remote computer can load the instructions into its dynamic memory and send the 
instructions over a telephone line via a modem" "Communication interface 918 
provides a two-way data communication coupling to a network link 920 that is 
connected to a local network 922" and "Network link 920 typically provides data 
communication through one or more networks to other data devices"); 

and storing a second virtual record in the database, wherein the second virtual record 
comprises the M1 attributes, and wherein the attribute information providing server 
performs said receiving the selection of M1 attributes and said storing the second virtual 
record in the database (column 3, lines 7-40, "storing, in the database an association of 
each resource to one or more of the roles", column 5, lines 13-20, column 11, lines 42-64,
column 12, lines 32-55 and column 15, lines 35-52).

9. Regarding claim 32, Win teaches wherein the data record comprises a globally-
unique ID (GID) serving as a primary key of the data record, wherein the VID is a 
primary key of the virtual record, and wherein the VID is independent of the GID 
(Figures 10a-10c, column 12, lines 32-55, column 15, lines 35-52 and column 16, lines 
13-58). 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148
USPQ 459 (1966), that are applied for establishing a background for determining 
obviousness under 35 U.S.C. 103(a) are summarized as follows: 

1. Determining the scope and contents of the prior art.

2. Ascertaining the differences between the prior art and the claims at issue. 

3. Resolving the level of ordinary skill in the pertinent art. 

4. Considering objective evidence present in the application indicating 
obviousness or nonobviousness. 

Claim 26 is rejected under 35 U.S.C. 103(a) as being unpatentable over Win as
applied to claim 23, as cited above, and further in view of United States Patent No.
6,834,272 to Naor et al., hereinafter Naor.

10. Win significantly discloses the claimed invention as cited within claim 23; 
however Win fails to disclose the limitation found within claim 26. Naor discloses this 
limitation, as cited below. 

11. Therefore, it would have been obvious to one of ordinary skill in the art at the
time the invention was made to incorporate the teachings of Naor within the teachings 
of Win in order for "any number of parties, via a center, to collectively compute any 
function in a manner that preserves the privacy of the individual private inputs of the 
parties to the collective computation, even after the computation of the function has 
been completed" (Naor, column 4, lines 46-58).

12. Regarding claim 26, Naor teaches wherein said providing the virtual record to 
the attribute information receiving apparatus is performed using a 1-out-of-N OT 
(Oblivious Transfer) protocol (Figure 5, element "532" and Figure 7, element "712", 
column 11, lines 30-67, column 12, lines 1-3 and 34-44, column 13, lines 42-55,
column 17, lines 35-66 and column 19, lines 52-64). 

(10) Response to Argument 
Argument A: "Win does not teach the feature: 'receiving a request from a user 
device via a network from a virtual ID token relating to attribute information 
pertaining to a subscriber associated with the user device'". 
Though Win does not sufficiently disclose "a virtual ID token", it is upheld that the cited 
sections of Win sufficiently disclose the composition of the Appellant's "virtual ID 
token". On page 3 of the Appellant's Appeal Brief, it is stated that the "virtual ID token 
comprises the VID. See specification, page 14, lines 10-11". However, the Appellant's 
Specification does not further define as to what the "virtual ID token" is, but rather its 
composition. Therefore, the claimed "virtual ID token" lacks a sufficient written 
description and support. Thus, the claimed composition, (i.e. "attribute information") is
analogous to Win's disclosure of, inter alia, "roles", "profile information", "user's name
and password" and so forth, as previously-cited.

Application/Control Number: 10/568,513 Page 11

Art Unit: 2431

Further, a token is an encrypted identification of one valid user or group on an external 
authentication system. On page 13 of the Appellant's Specification, it is stated that "In 
the general acquirement, the attribute information receiving apparatus 50 connects to 
the attribute information providing server 10 by using the URL included in the VID token, 
presents the VID, and acquires the virtual record." Win discloses this within, but not 
limited to, column 3, lines 7-40, "storing, in the database an association of each 
resource to one or more of the roles", column 5, lines 13-20, column 6, lines 58-65, 
column 8, lines 47-63, column 12, lines 32-55 and column 15, lines 35-52. 
Additionally, the Examiner maintains the above-cited grounds of rejection, in particular 
but not limited to Figures 1, 2 and 6-8, column 5, lines 1-12, column 17, lines 28-38, 
"secure token" and column 26, lines 14-67, "remote computer can load the instructions 
into its dynamic memory and send the instructions over a telephone line via a modem" 
"Communication interface 918 provides a two-way data communication coupling to a 
network link 920 that is connected to a local network 922" and "Network link 920 
typically provides data communication through one or more networks to other data 
devices". 

Argument B: "Win does not teach the feature: 'responsive to the request for the 
virtual ID token, reading a data record from a database, said data record 
comprising L attributes of the subscriber, L being at least 2"'. 

The Examiner maintains the above-cited grounds of rejection, in particular but not
limited to Figures 5a, element "508", 5b and 5e, column 10, lines 14-26, "Registry 
Server 108 returns the result of verifying the user's name and password" and 41-55, 
"profile information may comprise the user's name, locale information, IP address, and 
information defining roles held by the user", column 11 and lines 42-64.
Regarding the Appellant's assertion that the citations within Win do "not teach that the 
user profile comprises at least 2 attributes, as required by claim 23", the Examiner 
respectfully disagrees and interprets that the claimed "L attributes of the subscriber" 
pertain to the "profile information" as disclosed by Win. 

Argument C: "Win does not teach the feature: 'providing the data record to the 
user device via the network"'. 

The Examiner maintains the above-cited grounds of rejection, in particular but not 
limited to, column 5, lines 1-12, 66 and 67, column 6, lines 1-16 and 58-65, "Runtime 
Module decrypts information in the cookie and uses it to verify that the user is 
authorized to access the resource. The cookie is also used by the resource to return 
information that is customized based on the user's name and roles" and column 26, 
lines 14-67, "remote computer can load the instructions into its dynamic memory and 
send the instructions over a telephone line via a modem" "Communication interface 918 
provides a two-way data communication coupling to a network link 920 that is 
connected to a local network 922" and "Network link 920 typically provides data 
communication through one or more networks to other data devices". 

Argument D: "Win does not teach the feature: 'receiving, from the user device, via
the network, a selection of M attributes of the L attributes, M being less than L'". 

The Examiner asserts that Win discloses this claimed feature, as cited above and 
further in view of column 3, lines 7-25, "the receiving step further comprises the steps of 
storing, in a database accessible by the Web application server, information describing 
one or more roles and one or more access rights of the user that are stored in 
association with user identifying information, wherein the roles represent the work 
responsibilities carried out by the user in the enterprise, and wherein the access rights 
represent the kinds and levels of access privileges that are held by the user in the 
enterprise". The "one or more roles and one or more access rights of the user" are 
received and are "in association with user identifying information". The "user identifying 
information" isn't sent along with said "roles" or "access rights", thus said "roles" and 
"access rights" would be the claimed "M attributes". 

Further, within column 6, lines 41-54, a "name and password" are given to an 
"Authentication Client Module" for verification purposes. Those two pieces of 
information constitute "attributes" and since only those two pieces are given and not 
additional information (i.e. roles), the claimed "M attributes" are disclosed by said "name 
and password" as well. 

Argument E: "Win does not teach the feature: 'generating a virtual record 
including the M attributes selected from the data record, said virtual record 
comprising a virtual ID (VID) for identifying the virtual record'". 

The Examiner maintains the above-cited grounds of rejection and further states that Win
additionally discloses the claimed invention within column 10, lines 41-55, "profile 
information may comprise the user's name, locale information, IP address, and 
information defining roles held by the user". Said "profile" being the Appellant's claimed 
"virtual record". 

Argument F: "Win does not teach the feature: 'storing the generated virtual 
record in the database'". 

The Examiner asserts that Win discloses said "storing the generated virtual record in 
the database" as cited within column 3, lines 7-40, "storing, in the database an 
association of each resource to one or more of the roles", column 5, lines 13-20,
"central repository", column 12, lines 32-55, "Registry Repository 110 is the primary
data store for the system 2. It contains data on Users, Resources, and Roles and
configuration information required for the system 2 to function. Selected data, for
example, passwords, are stored in Registry Repository 110 in encrypted form" and
column 15, lines 35-52, "An administrator may complete and submit the data entry form 
for each individual user to be defined. In response, Registry Server 108 stores 
information defining the user in the Registry Repository 110." The claimed "database" 
is sufficiently disclosed by the, inter alia, "Registry Repository" of Win. 

Argument G: "Win does not teach the feature: 'providing the virtual ID token to
the user device via the network, wherein the virtual ID token comprises the VID'".

With regards to this argument, the Examiner maintains the above-cited grounds of
rejection, in particular but not limited to Figures 1, 2 and 6-8, column 5, lines 1-12,
column 17, lines 28-38, "secure token" and column 26, lines 14-67, "remote computer
can load the instructions into its dynamic memory and send the instructions over a 
telephone line via a modem" "Communication interface 918 provides a two-way data 
communication coupling to a network link 920 that is connected to a local network 922" 
and "Network link 920 typically provides data communication through one or more 
networks to other data devices". 

Further, a token is an encrypted identification of one valid user or group on an external 
authentication system. On page 13 of the Appellant's Specification, it is stated that "In 
the general acquirement, the attribute information receiving apparatus 50 connects to 
the attribute information providing server 10 by using the URL included in the VID token, 
presents the VID, and acquires the virtual record." Win discloses this within, but not 
limited to, column 3, lines 7-40, "storing, in the database an association of each 
resource to one or more of the roles", column 5, lines 13-20, column 6, lines 58-65, 
column 8, lines 47-63, column 12, lines 32-55 and column 15, lines 35-52. Additionally, 
on page 3 of the Appellant's Appeal Brief, it is stated that the "virtual ID token comprises 
the VID. See specification, page 14, lines 10-11". However, the Appellant's 
Specification does not further define as to what the "virtual ID token" is, but rather its 
composition; thus the cited sections of Win sufficiently disclose the composition of the 
Appellant's "virtual ID token". 

Argument H: "Win does not teach the feature: 'wherein an attribute information 
providing server performs said receiving the request for the virtual ID token, said 
reading the data record from the database, said providing the data record to the 
user device, said receiving the selection of M attributes, said generating the
virtual record, said storing the generated virtual record in the database, and said 
providing the virtual ID token to the user device'". 

The Examiner maintains that Win teaches the claimed invention, as cited above, in 
particular but not limited to column 3, lines 7-40, "storing, in the database an association 
of each resource to one or more of the roles", column 5, lines 13-20, column 11, lines
42-64, column 12, lines 32-55 and column 15, lines 35-52. 
Regarding the claim language of "reading the data record from the database", the 
Examiner maintains that column 13, lines 39-52, column 14, lines 3-18 and 34-43, 
column 15, lines 23-52 and column 16, lines 16-28 and Table 1 convey an Administrator 
viewing profiles and assigning roles and proper access privileges. The Administrator is 
"reading" each profile when the assigning occurs. 

Argument I: "In addition with respect to claim 24, Win does not teach the feature: 
'receiving a request comprising the VID for attribute information associated with 
the VID from an attribute information receiving apparatus via the network"'. 

The Examiner maintains the above-cited grounds of rejection, in particular but not 
limited to Figures 10a-10c, column 12, lines 32-55 and column 15, lines 35-52. Further, 
within column 21, lines 9-21, "the resource may assume that the request is
authenticated but may not be able to use system roles. It may have to lookup 
authorization attributes from the legacy data store." Verification has occurred but it still 
needs to be determined as to what access privileges are allowed. Thus an attempt to 
obtain the claimed "attribute information associated with the VID" occurs. Hence, Win
discloses the claimed invention. 

Argument J: "In addition with respect to claim 24, Win does not teach the feature: 
'reading the virtual record from the database in response to the request 
comprising the VID'". 

Regarding the claim language of "reading the virtual record from the database", the 
Examiner maintains that column 13, lines 39-52, column 14, lines 3-18 and 34-43, 
column 15, lines 23-52 and column 16, lines 16-28 and Table 1 convey an Administrator 
viewing profiles and assigning roles and proper access privileges. The Administrator is 
"reading" each profile when the assigning occurs. 

Argument K: "In addition with respect to claim 24, Win does not teach the feature: 
'after said reading, providing the virtual record to the attribute information 
receiving apparatus via the network'". 

The Examiner maintains the above-cited grounds of rejection, in particular but not 
limited to, column 5, lines 1-12, 66 and 67, column 6, lines 1-16 and 58-65, "Runtime 
Module decrypts information in the cookie and uses it to verify that the user is 
authorized to access the resource. The cookie is also used by the resource to return 
information that is customized based on the user's name and roles" and column 26, 
lines 14-67, "remote computer can load the instructions into its dynamic memory and 
send the instructions over a telephone line via a modem" "Communication interface 918 
provides a two-way data communication coupling to a network link 920 that is 
connected to a local network 922" and "Network link 920 typically provides data
communication through one or more networks to other data devices".

Argument L: "In addition with respect to claim 24, Win does not teach the feature:
'wherein the attribute information providing server performs said receiving the
request comprising the VID, said reading the virtual record from the database,
and said providing the virtual record to the attribute information receiving
apparatus'".

The Examiner maintains the above-cited grounds of rejection, in particular but not 
limited to, column 5, lines 1-12, 66 and 67, column 6, lines 1-16 and 58-65, "Runtime 
Module decrypts information in the cookie and uses it to verify that the user is 
authorized to access the resource. The cookie is also used by the resource to return 
information that is customized based on the user's name and roles" and column 26, 
lines 14-67, "remote computer can load the instructions into its dynamic memory and 
send the instructions over a telephone line via a modem" "Communication interface 918 
provides a two-way data communication coupling to a network link 920 that is 
connected to a local network 922" and "Network link 920 typically provides data 
communication through one or more networks to other data devices". 
Regarding the claim language of "reading the virtual record from the database", the 
Examiner maintains that column 13, lines 39-52, column 14, lines 3-18 and 34-43, 
column 15, lines 23-52 and column 16, lines 16-28 and Table 1 convey an Administrator 
viewing profiles and assigning roles and proper access privileges. The Administrator is 
"reading" each profile when the assigning occurs. 

Argument M: "In addition, with respect to claim 25, Win does not teach the
feature: 'wherein said providing the virtual record to the attribute information 
receiving apparatus is performed in manner that ensures that the virtual ID is 
concealed from the attribute information receiving apparatus when the virtual 
record is received by the attribute information receiving apparatus'". 
The Examiner asserts that this claimed feature is disclosed by Win within, but not 
limited to column 6, lines 41-54, column 8, lines 23-63, column 9, lines 41-60 and 
column 10, lines 41-63. Within column 6, it is stated that "If the name and password are 
correct, the Authentication Client Module reads the user's roles from the Registry Server 
109. It then encrypts and sends this information in a 'cookie' to the user's browser" and
that "The Runtime Module decrypts information in the cookie and uses it to verify that 
the user is authorized to access the resource. The cookie is also used by the resource 
to return information that is customized based on the user's name and roles". 
Argument N: "In addition with respect to claim 27, Win does not teach the feature: 
'after said providing the virtual record to the attribute information receiving 
apparatus: providing, by the attribute information providing server, an attribute 
certificate to the attribute information receiving apparatus in relation to a new 
transaction between the subscriber and the attribute information receiving 
apparatus, wherein the attribute certificate pertains to the M attributes in the 
virtual record provided to the attribute information receiving apparatus'". 
The Examiner asserts that Win discloses this claimed feature as cited within column 5, 
lines 66 and 67, column 6, lines 1-9, "Users may log in either with a digital certificate or 
by opening a login page URL with a web browser and entering a name and password",
column 17, lines 28-37, column 19, lines 56-63, "Remote procedure calls to Registry 
Server 108 are authenticated using digital certificates, encrypted, and encapsulated 
within HTTP transactions" and column 22, lines 41-46, "Access Server 106 and Registry 
Server 108 exchange digital certificates over encrypted link 109. The digital certificates 
are used during the SSL handshake for mutual authentication. Remote procedure calls 
from Access Server 106 to Registry Server 108 are then sent over an encrypted 
HTTP/SSL session". 

Argument O: "Appellant's maintain that claim 28 is likewise not anticipated by 
Win under 35 U.S.C. 102(e)". 

The Examiner asserts that the Appellant's claim limitations are sufficiently disclosed by 
Win, as cited above. As disclosed within Figures 10a-10c, column 17, lines 52-67 and 
column 18, lines 14-27 of Win, "Figure 10A is a simplified block diagram of an 
exemplary screen display or HTML page 1002 that is generated by Administration 
Application 114 for display browser 100 when a Resource Administration Function is 
selected" and that the "Administration Application 114 will attempt to find and display 
existing information about the resource from Registry Repository 110". This discloses 
the Appellant's claimed "a customer record display unit for displaying the virtual record". 
Further, the claimed "an attribute selection unit for extracting the M attributes from the 
data record prior to said generating the virtual record" is disclosed by Win within, but not 
limited to Figures 10a-10c, column 12, lines 32-55, column 15, lines 35-52 and column 
16, lines 13-58. 
Additionally, within column 21, lines 9-27, "the resource may assume that the request is 
authenticated but may not be able to use system roles. It may have to lookup 
authorization attributes from the legacy data store." And "the CGI program may have to 
use REMOTEUSER to get the user's name and password in the legacy system from 
the Registry Server. It can then use this information to login and access the legacy 
resource." The "user's name and password" are the Appellant's "M attributes" and are 
used in conjunction with Win's "authorization attributes" to complete the authorization 
process to enable a user to obtain access. Thus, this procedure is utilized before the 
Appellant's claimed "virtual record" can be obtained. 

Regarding the Appellant's claim language of "a virtual record generation unit for 
performing said generating the virtual record", the Examiner maintains the above-cited 
grounds of rejection and further states that Win additionally discloses the claimed 
invention within column 10, lines 41-55, "profile information may comprise the user's 
name, locale information, IP address, and information defining roles held by the user". 
Said "profile" being the Appellant's claimed "virtual record". 

Regarding the Appellant's "a virtual record referencing unit for referencing the virtual 
record based on the VID prior to said providing the virtual record to the attribute 
information receiving apparatus", the Examiner maintains the above-cited grounds of 
rejection, in particular but not limited to Figures 10a-10c, column 12, lines 32-55 and 
column 15, lines 35-52. Further, within column 21, lines 9-21, "the resource may 
assume that the request is authenticated but may not be able to use system roles. It 
may have to lookup authorization attributes from the legacy data store." Verification has 
occurred but it still needs to be determined as to what access privileges are allowed. 
Thus the "virtual record" is referenced to complete the transaction. Hence, Win 
discloses the claimed invention. 

Regarding the Appellant's claim language of "providing the virtual record to the attribute 
information receiving apparatus", the Examiner maintains the above-cited grounds of 
rejection, in particular but not limited to, column 5, lines 1-12, 66 and 67, column 6, lines 
1-16 and 58-65, "Runtime Module decrypts information in the cookie and uses it to 
verify that the user is authorized to access the resource. The cookie is also used by the 
resource to return information that is customized based on the user's name and roles" 
and column 26, lines 14-67, "remote computer can load the instructions into its dynamic 
memory and send the instructions over a telephone line via a modem" "Communication 
interface 918 provides a two-way data communication coupling to a network link 920 
that is connected to a local network 922" and "Network link 920 typically provides data 
communication through one or more networks to other data devices". 
Argument P: "In addition, with respect to claim 29, Win does not teach the 
feature: 'wherein the VID token further comprises a URL of the attribute 
information providing server'". 

The Examiner maintains that Win discloses this claimed feature, as disclosed within 
column 5, lines 13-21, 66 and 67, column 6, lines 1-9 and 58-65, column 7, lines 45-57, 
"administrator enters, for each Protected Server 104, an identifier; a name; a protocol; a 
port; a description; the location of an authentication server, URLs that identify pages 
displayed upon logout, upon login, and where restricted resources are encountered; the 
Protected Server on which cookies are stored", column 8, lines 5-63, "Open the 
Resource designated by this URL" and column 14, lines 34-43, "Each resource is 
defined by a resource identifier value, a resource name, a description, a Web server, a 
Relative URL, and a list of protected resources" and lines 56-67. 
Argument Q: "Appellant's maintain that claim 30 is likewise not anticipated by 
Win under 35 U.S.C. 102 (e)". 

Regarding the additional argument of "with respect to claim 30, Win does not teach the 
feature: 'wherein the VID token further comprises a URL of the attribute information 
providing server'", it is noted that the features upon which appellant relies are not recited 
in the rejected claim(s). Although the claims are interpreted in light of the specification, 
limitations from the specification are not read into the claims. See In re Van Geuns, 988 
F.2d 1181, 26 USPQ2d 1057 (Fed. Cir. 1993). 

Further, the actual claim language of claim 30 is "wherein the attribute information 
providing server is selected from the group consisting of a financial institution, an 
Internet Service Provider (ISP), and a shopping site on the network". The Examiner 
asserts that this claim language is disclosed by Win within column 26, lines 44-67, 
"network link 920 may provide a connection through local network 922 to a host 
computer 924 or to data equipment operated by an Internet Service Provider (ISP) 926". 
It is interpreted by the Examiner that the selection of the "attribute information providing 
server" pertains to only one of the choices being utilized; hence the citation of Win's 
disclosure of "data equipment operated by an Internet Service Provider (ISP)". Thus 
Win discloses the claimed invention. 
Argument R: "In addition with respect to claim 31, Win does not teach the feature: 
'receiving a selection of M1 attributes of the L attributes in the data record, 
wherein the M1 attributes are not identical to the M attributes'". 

The Examiner asserts that Win discloses this claimed feature, as cited within Figure 
10b, column 3, lines 7-40, "storing, in the database an association of each resource to 
one or more of the roles", column 11, lines 42-64, "Personalized Menu Service 
constructs a personalized menu of resources showing only those resources that the 
user is authorized to access according to the user's profile information", column 12, 
lines 32-55, column 15, lines 35-52, "administrator may complete and submit the data 
entry form for each individual user to be defined". 

Also, within column 3, lines 7-25, "the receiving step further comprises the steps of 
storing, in a database accessible by the Web application server, information describing 
one or more roles and one or more access rights of the user that are stored in 
association with user identifying information, wherein the roles represent the work 
responsibilities carried out by the user in the enterprise, and wherein the access rights 
represent the kinds and levels of access privileges that are held by the user in the 
enterprise". The "one or more roles and one or more access rights of the user" are 
received and are "in association with user identifying information". The "user identifying 
information" being an additional subset of the Appellant's claimed "attributes". 
Argument S: "In addition with respect to claim 31, Win does not teach the feature: 
'storing a second virtual record in the database, wherein the second virtual 
record comprises the M1 attributes, and wherein the attribute information 
providing server performs said receiving the selection of M1 attributes and said 
storing the second virtual record in the database'". 

The Examiner asserts that Win discloses said "storing a second virtual record in the 
database" as cited within column 3, lines 7-40, "storing, in the database an association 
of each resource to one or more of the roles", column 5, lines 13-20, "central 
repository", column 12, lines 32-55, "Registry Repository 110 is the primary data store 
for the system 2. It contains data on Users, Resources, and Roles and configuration 
information required for the system 2 to function. Selected data, for example, 
passwords, are stored in Registry Repository 110 in encrypted form" and column 15, 
lines 35-52, "An administrator may complete and submit the data entry form for each 
individual user to be defined. In response, Registry Server 108 stores information 
defining the user in the Registry Repository 110." The claimed "database" is sufficiently 
disclosed by the, inter alia, "Registry Repository" of Win. 

Argument T: "Appellant's maintain that claim 32 is likewise not anticipated by 
Win under 35 U.S.C. 102 (e)". 

The Examiner asserts that Win discloses the claimed invention as cited within, but not 
limited to column 12, lines 32-55, column 15, lines 35-52 and column 16, lines 13-58, 
"Administrative Privilege value". 

Argument U: "claim 26 is likewise not unpatentable over Win in view of Naor 
under 35 U.S.C. 103(a)". 

With regards to the claim language of "wherein said providing the virtual record to the 
attribute information receiving apparatus is performed using a 1-out-of-N OT (Oblivious 
Transfer) protocol", the Examiner maintains the above-cited grounds of rejection, in 
particular but not limited to column 11, lines 30-67, "Oblivious Transfer", "1-out-of-2 
Oblivious Transfer", column 12, lines 1-3 and 34-44, "the notion of Oblivious Transfer 
has been extended to a protocol herein denoted as 1-out-of-2 Proxy Oblivious 
Transfer", column 13, lines 42-55, column 17, lines 35-66 and column 19, lines 52-64. 
The elaboration of the functionality of the "1-out-of-N OT (Oblivious Transfer) protocol", 
within the cited sections of Naor, provides sufficient grounds of rejection for this claim. 
The Appellant further argues "that the Examiner's stated reason for modifying Win by 
the alleged teaching of Naor is not persuasive, because the Examiner stated reason, 
and the Examiner's citation to Naor, col. 4, 46-58, is unrelated to the 1-out-of-N OT 
(Oblivious Transfer) protocol recited in the preceding feature of claim 26". However, the 
Appellant does not elaborate as to how the claimed "1-out-of-N (Oblivious Transfer) 
protocol" is different from the Oblivious Transfer protocols disclosed within Naor; thus it 
is interpreted by the Examiner that the claimed "1-out-of-N (Oblivious Transfer) protocol" 
is analogous to the protocols disclosed within Naor and cited as grounds of rejection for 
claim 26. 

(11) Related Proceeding(s) Appendix 

No decision rendered by a court or the Board is identified by the examiner in the 
Related Appeals and Interferences section of this examiner's answer. 
For the above reasons, it is believed that the rejections should be sustained. 
Respectfully submitted, 
/Jeremiah Avery/ 
Examiner, Art Unit 2431 

Conferees: 

/Christopher A. Revak/ 
Primary Examiner, Art Unit 2431 
/Kimyen Vu/ 

Supervisory Patent Examiner, Art Unit 2435 



